UAA uses the OpenJDK Java Runtime Environment TrustManager to store trusted certificates. TrustManager does not by default check certificates for expiration. UAA was found to accept expired certificates.

Mitigation

Users of affected versions should apply the following mitigation:

Upgrade to Cloud Foundry v240 [1] or later

For standalone UAA users

For users using UAA Version 3.0.0 - 3.4.0, please upgrade to UAA Release to v3.3.0.3 [3] or v3.4.2 [4]

For users using standalone UAA Version 2.X.X, please upgrade to UAA Release to v2.7.4.6 [2]

For users using UAA-Release (UAA bosh release), please upgrade to UAA-Release v12.3 [5] if upgrading to v3.4.2 [4] or v11.3 [6] if upgrading to v3.3.0.3 [3]